Abstract. Signal Temporal Logic (STL) is a formalism used to rigorously specify requirements of cyberphysical systems (CPS), i.e., systems mixing digital or discrete components in interaction with a continuous environment or analog components. STL is naturally equipped with a quantitative semantics which can be used for various purposes: from assessing the robustness of a specification to guiding searches over the input and parameter space with the goal of falsifying the given property over system behaviors. Algorithms have been proposed and implemented for offline computation of such quantitative semantics, but only few methods exist for an online setting, where one would want to monitor the satisfaction of a formula during simulation. In this paper, we formalize a semantics for robust online monitoring of partial traces, i.e., traces for which there might not be enough data to decide the Boolean satisfaction (and to compute its quantitative counterpart). We propose an efficient algorithm to compute it and demonstrate its usage on two large scale real-world case studies coming from the automotive domain and from CPS education in a Massively Open Online Course (MOOC) setting. We show that savings in computationally expensive simulations far outweigh any overheads incurred by an online approach.


1 Introduction 

Design engineers for embedded control software typically validate their designs by inspecting concrete observations of system behavior. For instance, in the model-based development (MBD) paradigm, designers have access to numerical simulation tools to obtain traces from models of systems. An important problem is then to be able to efficiently test whether some logical property φ holds for a given simulation trace. It is increasingly common [13,9,12,2,15] to specify such properties using a real-time temporal logic such as Signal Temporal Logic (STL) [7] or Metric Temporal Logic (MTL) [10]. An offline monitoring approach involves performing an a posteriori analysis on complete simulation traces (i.e., traces starting at time 0, and lasting till a user-specified time horizon). Theoretical and practical results for offline monitoring [10,5,7,17] focus on the efficiency of monitoring as a function of the length of the trace, and the size of the formula representing the property φ.

There are a number of situations where offline monitoring is unsuitable. Consider the case where the monitor is to be deployed in an actual system to detect erroneous behavior. As embedded software is typically resource constrained, offline monitoring, which requires storing the entire observed trace, is impractical. Also, when a monitor is used in a simulation-based validation tool, a single simulation may run for several minutes or even hours. If we wish to monitor a safety property over the simulation, a better use of resources is to abort the simulation whenever a violation is detected. Such situations demand an online monitoring algorithm, which has markedly different requirements. In particular, a good online monitoring algorithm must: (1) be able to generate intermediate estimates of property satisfaction based on partial signals, (2) use a minimal amount of data storage, and (3) be able to run fast enough in a real-time setting.

Most works on online monitoring algorithms for logics such as Linear Temporal Logic (LTL) or Metric Temporal Logic (MTL) have focused on the Boolean satisfaction of properties by partial signals [11,8,18]. However, recent work has shown that by assigning quantitative semantics to real-time logics such as MTL and STL, problems such as bug-finding, parameter synthesis, and robustness analysis can be solved using powerful off-the-shelf optimization tools [1,4]. A robust satisfaction value is a function mapping a property φ and a trace x(t) to a real number. A large positive value suggests that x(t) easily satisfies φ, a positive value close to zero suggests that x(t) is close to violating φ, and a negative value indicates a violation of φ. While the recursive definitions of quantitative semantics naturally define offline monitoring algorithms to compute robust satisfaction values [10,7,5], there is limited work on an online monitoring algorithm to do the same [3].

The main technical and theoretical challenge of online monitoring lies in the definition of a practical semantics for a temporal logic formula over a partial signal, i.e., a signal trace with incomplete data which cannot yet validate or invalidate φ. Past work [8] has identified three views for the satisfaction of an LTL property φ over a partial trace τ: (1) a weak view where the truth value of φ over τ is assigned to true if there is some suffix of τ that satisfies φ, (2) a strong view when it is defined to be false when some suffix of τ does not satisfy φ, and (3) a neutral view when the truth value is defined using a truncated semantics of LTL restricted to finite paths. In [11], the authors extend the truncated semantics to MTL, and in [3], the authors introduce the notion of a predictor, which works as an oracle to complete the partial trace and provide an estimated satisfaction value. However, such a value cannot be formally trusted in general as long as the data is incomplete.

We now outline our major contributions in this paper. In Section 3, we present robust interval semantics for an STL property φ on a partial trace t that unifies the different semantic views of real-time logics on truncated paths. Informally, the robust interval semantics map a trace x(t) and an STL property φ to an interval (ℓ, υ), with the interpretation that for any suffix u(t), ℓ is the greatest lower bound on the quantitative semantics of the trace x(t), and υ is the corresponding lowest upper bound. There is a natural correspondence between the interval semantics and three-valued semantics: (1) the truth value of φ is false according to the weak view iff υ is negative, and true otherwise; (2) the truth value is true according to the strong view iff ℓ is positive, and false otherwise; and (3) a neutral semantics, e.g., based on some predictor, can be defined when ℓ < 0 < υ, i.e., when there exist both suffixes that can violate and suffixes that can satisfy φ.

In Section 4, we present an efficient online algorithm to compute the robust interval semantics for bounded horizon formulas. Our approach is based on the offline algorithm of [5] extended to work in a fashion similar to the incremental Boolean monitoring of STL implemented in the tool AMT [18]. A key feature of our algorithm is that it imposes minimal runtime overhead with respect to the offline algorithm, while being able to compute robust satisfaction intervals on partial traces. In Section 5, we present specialized algorithms to deal with commonly-used unbounded horizon formulas using only a bounded amount of memory.

Finally, we present an implementation and experimental results on two large-scale case studies: (i) industrial-scale Simulink models from the automotive domain in Section 6, and (ii) an automatic grading system used in a massive online education initiative on CPS [14]. Since the online algorithm can abort simulation as soon as the truth value of the property is determined, we see a consistent 10%-20% savings in simulation time (which is typically several hours) in a majority of experiments, with negligible overhead (< 1%). In general, our results indicate that the benefits of our online monitoring algorithm over the offline approach far outweigh any overheads.


2 Background 

Interval Arithmetic. We now review interval arithmetic. An interval I is a convex subset of ℝ. A singular interval [a, a] contains exactly one point. Intervals (a, a), [a, a), (a, a], and ∅ denote empty intervals. We enumerate interval operations below assuming open intervals I_1 = (a_1, b_1) and I_2 = (a_2, b_2). Similar operations can be defined for closed, open-closed, and closed-open intervals.

$$
\begin{aligned}
&1.\; -I_1 = (-b_1,\, -a_1) &&3.\; I_1 \oplus I_2 = (a_1 + a_2,\, b_1 + b_2) \\
&2.\; c + I_1 = (c + a_1,\, c + b_1) &&4.\; \min(I_1, I_2) = (\min(a_1, a_2),\, \min(b_1, b_2)) \\
&5.\; I_1 \cap I_2 = \begin{cases} \emptyset & \text{if } \min(b_1, b_2) < \max(a_1, a_2) \\ (\max(a_1, a_2),\, \min(b_1, b_2)) & \text{otherwise.} \end{cases}
\end{aligned}
\qquad (2.1)
$$

Definition 1 (Signal). A time domain T is a finite or infinite set of time instants such that T ⊆ ℝ≥0 with 0 ∈ T. A signal x is a function from T to X. Given a time domain T, a partial signal is any signal defined on a time domain T' ⊆ T.

Simulation frameworks typically provide signal values at discrete time instants; usually this is a by-product of using a numerical technique to solve the differential equations in the underlying system. These discrete-time solutions are assumed to be sampled versions of the actual signal, which can be reconstructed using some form of interpolation. In this paper, we assume constant interpolation to reconstruct the signal x(t), i.e., given a sequence of time-value pairs (t_0, x_0), …, (t_n, x_n), for all t ∈ [t_0, t_n), we define x(t) = x_i if t ∈ [t_i, t_{i+1}), and x(t_n) = x_n. Further, let T_n ⊆ T represent the finite subset of time instants at which the signal values are given.

Signal Temporal Logic. We use Signal Temporal Logic (STL) [7] to analyze time-varying behaviors of signals. We now present its syntax and semantics. A signal predicate μ is a formula of the form f(x) > 0, where x is a variable that takes values from X, and f is a function from X to ℝ. For a given f, let f_inf denote inf_{x∈X} f(x), i.e., the greatest lower bound of f over X. Similarly, let f_sup = sup_{x∈X} f(x). The syntax of an STL formula φ is defined in Eq. (2.2). Note that □ and ◇ can be defined in terms of the U operator, but we include them for convenience.

$$
\varphi ::= \mu \mid \neg\varphi \mid \varphi \wedge \varphi \mid \Box_{(u,v)}\,\varphi \mid \Diamond_{(u,v)}\,\varphi \mid \varphi\; \mathbf{U}_{(u,v)}\; \varphi \qquad (2.2)
$$

Quantitative semantics for timed-temporal logics have been proposed for STL in [7]; we include the definition below.



Definition 2 (Robust Satisfaction Value). The robust satisfaction value is a function ρ mapping φ, the signal x, and a time t ∈ T as follows:

$$
\begin{aligned}
\rho(f(x) > 0, x, t) &= f(x(t)) \\
\rho(\neg\varphi, x, t) &= -\rho(\varphi, x, t) \\
\rho(\varphi_1 \wedge \varphi_2, x, t) &= \min\big(\rho(\varphi_1, x, t),\ \rho(\varphi_2, x, t)\big) \\
\rho(\Box_I\,\varphi, x, t) &= \inf_{t' \in t + I} \rho(\varphi, x, t') \\
\rho(\Diamond_I\,\varphi, x, t) &= \sup_{t' \in t + I} \rho(\varphi, x, t') \\
\rho(\varphi\, \mathbf{U}_I\, \psi, x, t) &= \sup_{\tau_1 \in t + I} \min\Big( \rho(\psi, x, \tau_1),\ \inf_{\tau_2 \in (t, \tau_1)} \rho(\varphi, x, \tau_2) \Big)
\end{aligned}
\qquad (2.3)
$$

Here, the translation from quantitative semantics to the usual Boolean satisfaction semantics is that a signal x satisfies an STL formula φ at a time τ iff the robust satisfaction value ρ(φ, x, τ) > 0.


3 Robust Interval Semantics 


In what follows, we assume that we wish to monitor the robust satisfaction value of a signal over a finite time-horizon T_h. We assume that the signal is obtained by applying piecewise constant interpolation to a sampled signal defined over time-instants {t_0, t_1, …, t_N}, such that t_N = T_h. In an online monitoring context, at any time t_i, only the partial signal over time instants {t_0, …, t_i} is available, and the rest of the signal becomes available in discrete time increments. We define robust satisfaction semantics of STL formulas over such partial signals using an interval-based semantics. Such a robust satisfaction interval (RoSI) includes all possible robust satisfaction values corresponding to the suffixes of the partial signal. In this section, we formalize the recursive definitions for the robust satisfaction interval of an STL formula with respect to a partial signal, and in the next section we will discuss an efficient algorithm to compute and maintain these intervals.


Definition 3 (Prefix, Completions). Let {t_0, …, t_i} be a finite set of time instants such that t_i < T_h, and let x_{[0,i]} be a partial signal over the time domain [t_0, t_i]. We say that x_{[0,i]} is a prefix of a signal x if for all t < t_i, x(t) = x_{[0,i]}(t). The set of completions of a partial signal x_{[0,i]} (denoted by C(x_{[0,i]})) is defined as the set {x | x_{[0,i]} is a prefix of x}.

Definition 4 (Robust Satisfaction Interval (RoSI)). The robust satisfaction interval of an STL formula φ on a partial signal x_{[0,i]} at a time τ ∈ [t_0, t_N] is an interval I such that:

$$
\inf(I) = \inf_{x \in C(x_{[0,i]})} \rho(\varphi, x, \tau) \quad\text{and}\quad \sup(I) = \sup_{x \in C(x_{[0,i]})} \rho(\varphi, x, \tau)
$$

Definition 5. We now define a recursive function [ρ] that maps a given formula φ, a partial signal x_{[0,i]} and a time τ ∈ T to an interval [ρ](φ, x_{[0,i]}, τ).



$$
\begin{aligned}
[\rho](f(x_{[0,i]}) > 0, x_{[0,i]}, \tau) &= \begin{cases} [f(x_{[0,i]}(\tau)),\ f(x_{[0,i]}(\tau))] & \tau \in [t_0, t_i] \\ [f_{\inf},\ f_{\sup}] & \text{otherwise.} \end{cases} \\
[\rho](\neg\varphi, x_{[0,i]}, \tau) &= -[\rho](\varphi, x_{[0,i]}, \tau) \\
[\rho](\varphi_1 \wedge \varphi_2, x_{[0,i]}, \tau) &= \min\big([\rho](\varphi_1, x_{[0,i]}, \tau),\ [\rho](\varphi_2, x_{[0,i]}, \tau)\big) \\
[\rho](\Box_I\,\varphi, x_{[0,i]}, \tau) &= \inf_{t \in \tau + I} \big([\rho](\varphi, x_{[0,i]}, t)\big) \\
[\rho](\Diamond_I\,\varphi, x_{[0,i]}, \tau) &= \sup_{t \in \tau + I} \big([\rho](\varphi, x_{[0,i]}, t)\big) \\
[\rho](\varphi_1\, \mathbf{U}_I\, \varphi_2, x_{[0,i]}, \tau) &= \sup_{\tau_2 \in \tau + I} \min\Big( [\rho](\varphi_2, x_{[0,i]}, \tau_2),\ \inf_{\tau_1 \in (\tau, \tau_2)} [\rho](\varphi_1, x_{[0,i]}, \tau_1) \Big)
\end{aligned}
\qquad (3.1)
$$


The following lemma, which can be proved by induction over the structure of STL formulas, shows that the interval obtained by applying the recursive definition for [ρ] is indeed the robust satisfaction interval as defined in Def. 4.

Lemma 1. For any STL formula φ, the function [ρ](φ, x_{[0,i]}, τ) defines the robust satisfaction interval for the formula φ over the signal x_{[0,i]} at time τ.
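As an added worked example (not code from the paper or its tool), the interval operations of Eq. (2.1) and the recursive RoSI of Definition 5 in Python, evaluated on the running formula φ of Eq. (4.2) over constructed sample traces. Assumptions: the time domain is the integer grid 0..horizon, so every instant in τ + I is itself a sample and piecewise-constant interpolation needs no extra lookup; the bounds a = 2, b = 1, c = 3, the predicate f(x) = x (so f_inf = −∞ and f_sup = +∞ over ℝ) and all sample values are made up for the illustration.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INF = math.inf
Interval = Tuple[float, float]   # (lower bound, upper bound)

# Interval operations of Eq. (2.1): negation and pointwise min / max.
def ineg(a: Interval) -> Interval:
    return (-a[1], -a[0])

def imin(a: Interval, b: Interval) -> Interval:
    return (min(a[0], b[0]), min(a[1], b[1]))

def imax(a: Interval, b: Interval) -> Interval:
    return (max(a[0], b[0]), max(a[1], b[1]))

@dataclass
class Node:
    """STL syntax-tree node (Eq. 2.2). Assumption: lo/hi are sample indices on an integer grid."""
    op: str                     # "pred", "not", "and", "always", "eventually", "until"
    args: tuple = ()            # child formulas
    lo: int = 0                 # inf(I) for temporal operators
    hi: int = 0                 # sup(I) for temporal operators
    f: Callable = None          # the predicate's f, for f(x) > 0 ("pred" only)
    f_inf: float = -INF         # greatest lower bound of f over X
    f_sup: float = INF          # least upper bound of f over X

def Pred(f, f_inf=-INF, f_sup=INF): return Node("pred", f=f, f_inf=f_inf, f_sup=f_sup)
def Not(a): return Node("not", (a,))
def And(a, b): return Node("and", (a, b))
def Or(a, b): return Not(And(Not(a), Not(b)))       # De Morgan, as Eq. (4.2) needs it
def Always(lo, hi, a): return Node("always", (a,), lo, hi)
def Eventually(lo, hi, a): return Node("eventually", (a,), lo, hi)
def Until(lo, hi, a, b): return Node("until", (a, b), lo, hi)

class PartialSignal:
    """Samples on the grid 0..horizon of which only 0..last have arrived (x_[0,last])."""
    def __init__(self, samples: Dict[str, List[float]], last: int, horizon: int):
        self.samples, self.last, self.horizon = samples, last, horizon

    def at(self, t: int) -> Dict[str, float]:
        return {name: vals[t] for name, vals in self.samples.items()}

    def window(self, tau: int, lo: int, hi: int) -> range:
        return range(max(0, tau + lo), min(self.horizon, tau + hi) + 1)   # tau + I, clipped

def rosi(phi: Node, sig: PartialSignal, tau: int) -> Interval:
    """Robust satisfaction interval [rho](phi, x_[0,i], tau) of Definition 5 / Eq. (3.1)."""
    if phi.op == "pred":
        if tau <= sig.last:                           # sample known: singular interval
            v = phi.f(sig.at(tau))
            return (v, v)
        return (phi.f_inf, phi.f_sup)                 # unknown: every value f can take
    if phi.op == "not":
        return ineg(rosi(phi.args[0], sig, tau))
    if phi.op == "and":
        return imin(rosi(phi.args[0], sig, tau), rosi(phi.args[1], sig, tau))
    if phi.op == "always":                            # inf over tau + I
        acc = (INF, INF)
        for t in sig.window(tau, phi.lo, phi.hi):
            acc = imin(acc, rosi(phi.args[0], sig, t))
        return acc
    if phi.op == "eventually":                        # sup over tau + I
        acc = (-INF, -INF)
        for t in sig.window(tau, phi.lo, phi.hi):
            acc = imax(acc, rosi(phi.args[0], sig, t))
        return acc
    if phi.op == "until":    # sup_{t2} min(psi(t2), inf_{t1 in (tau, t2)} phi(t1))
        acc = (-INF, -INF)
        for t2 in sig.window(tau, phi.lo, phi.hi):
            inner = (INF, INF)
            for t1 in range(tau + 1, t2):
                inner = imin(inner, rosi(phi.args[0], sig, t1))
            acc = imax(acc, imin(rosi(phi.args[1], sig, t2), inner))
        return acc
    raise ValueError(f"unknown operator {phi.op}")

def verdict(iv: Interval) -> str:
    """Three-valued reading of a RoSI from Section 1."""
    if iv[1] < 0:
        return "violated"       # negative upper bound: every completion violates
    if iv[0] > 0:
        return "satisfied"      # positive lower bound: every completion satisfies
    return "undecided"

def monitor(phi: Node, samples: Dict[str, List[float]], horizon: int):
    """Feed samples one at a time and stop at the first instant the verdict is decided."""
    for last in range(horizon + 1):
        iv = rosi(phi, PartialSignal(samples, last, horizon), 0)
        v = verdict(iv)
        if v != "undecided":
            break
    return last, iv, v

# Running example of Eq. (4.2) with a = 2, b = 1, c = 3 and f(x) = x (constructed choices):
# phi = always_[0,2]( not(y > 0) or eventually_[1,3](x > 0) ), horizon a + c = 5.
PHI = Always(0, 2, Or(Not(Pred(lambda s: s["y"])), Eventually(1, 3, Pred(lambda s: s["x"]))))
# Constructed sample traces on the grid 0..5.
SAMPLES = {"x": [0.0, -1.0, -2.0, 1.0, 3.0, 0.5], "y": [1.0, 2.0, 0.5, 1.0, 1.0, 1.0]}

if __name__ == "__main__":
    print(rosi(PHI, PartialSignal(SAMPLES, 2, 5), 0))   # (-2.0, inf): still undecided at t_2
    print(monitor(PHI, SAMPLES, 5))                       # (3, (1.0, 1.0), 'satisfied')
```

With the constructed traces the interval is still (−2, +∞) after t_2, but once x(t_3) arrives every completion satisfies φ, so the monitor stops at t_3 although hor(φ) extends to t_5; replacing the x trace by one that stays negative makes the upper bound turn negative at t_3 instead, which is the early-abort case the introduction describes.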


4 Online Algorithm 

Donzé et al. [5] present an offline algorithm for monitoring STL formulas over (piecewise) linearly interpolated signals. A naive implementation of an online algorithm is as follows: at time t_i, use a modification of the offline monitoring algorithm to recursively compute the robust satisfaction intervals as defined by Def. 5 on the signal x_{[0,i]}. We observe that such a procedure does many repeated computations that can be avoided by maintaining the results of intermediate computations. Furthermore, the naive procedure requires storing the signal values over the entire time horizon, which makes it memory-intensive. In this section, we present the main technical contribution of this paper: an online algorithm that is memory-efficient and avoids repeated computations.

As in the offline monitoring algorithm in [5], an essential ingredient of the online algorithm is Lemire's running maximum filter algorithm [16]. The problem this algorithm addresses is the following: given a sequence of values a_1, …, a_n, find the maximum (resp. minimum) over all windows of size w, i.e., for all j, max_i a_i (resp. min_i a_i) with i ranging over the window that starts at j. We briefly review an extension of Lemire's algorithm over piecewise-constant signals with variable time steps, given as Algorithm 1. The main observation in Lemire's algorithm is that it is sufficient to maintain a descending (resp. ascending) monotonic edge (noted F in Algorithm 1) to compute the sliding maxima (resp. minima), in order to achieve an optimal procedure (measured in terms of the number of comparisons between elements).

We first focus on the fragment of STL where each temporal operator is bounded by a time-interval I such that sup(I) is finite. The procedure for online monitoring is an algorithm that maintains in memory the syntax tree of the formula φ to be monitored, augmented with some book-keeping information. First, we formalize some notation. For a given formula φ, let T_φ represent the syntax tree of φ, and let root(T_φ) denote the root of the tree. Each node in the syntax tree (other than a leaf node) corresponds to



Algorithm 1: SlidingMax((t_0, x_0), …, (t_N, x_N))
Input: Window [a, b]
Output: Sliding maximum y(t) over times in [t_0, t_N]
1  F := {0}                                   // F is the set of times representing the monotonic edge
2  i := 0; s, t := t_0 − b
3  while t + a < t_N do
4    if F ≠ ∅ then t := min(t_{min(F)} − a, t_{i+1} − b) else t := t_{i+1} − b
     if t = t_{i+1} − b then
5      while x_{i+1} ≥ x_{max(F)} ∧ F ≠ ∅ do
6        F := F − max(F)
7      F := F ∪ {i + 1}; i := i + 1
8    else                                      // Slide window to the right
9      if s > t_0 then y(s) := x_{min(F)} else y(t_0) := x_{min(F)}; F := F − min(F); s := t



(Fig. 1 image omitted; the node annotations read [0, a] and [b, a + c].)

Fig. 1. Syntax tree T_φ for φ (given in (4.2)) with each node v annotated with hor(v).

an STL operator ¬, ∨, ∧, □_I or ◇_I.¹ We will use ⊞_I to denote any temporal operator bounded by interval I. For a given node v, let op(v) denote the operator for that node. For any node v in T_φ (except the root node), let parent(v) denote the unique parent of v.

Algorithm 2 does the online RoSI computation. Like the offline algorithm, it is a dynamic programming algorithm operating on the syntax tree of the given STL formula, i.e., computation of the RoSI of a formula combines the RoSIs for its constituent subformulas in a bottom-up fashion. As computing the RoSI at a node v requires the RoSIs at the child-nodes, this computation has to be delayed till the RoSIs at the children of v in a certain time-interval are available. We call this time-interval the time horizon of v (denoted hor(v)), and define it recursively in Eq. (4.1).

$$
\mathrm{hor}(v) = \begin{cases} [0] & \text{if } v = \mathrm{root}(T_\varphi) \\ I \oplus \mathrm{hor}(\mathrm{parent}(v)) & \text{if } v \neq \mathrm{root}(T_\varphi) \text{ and } \mathrm{op}(\mathrm{parent}(v)) = \boxplus_I \\ \mathrm{hor}(\mathrm{parent}(v)) & \text{otherwise.} \end{cases} \qquad (4.1)
$$

We illustrate the working of the algorithm using a small example, then give a brief sketch of the various steps in the algorithm.

Example 1. Consider formula (4.2). We show T_φ and hor(v) for each node v in T_φ in Fig. 1. In the rest of the paper, we use φ as a running example.²

$$
\varphi = \Box_{[0,a]}\big(\neg(y > 0) \vee \Diamond_{[b,c]}(x > 0)\big) \qquad (4.2)
$$

¹ We omit the case of U_I here for lack of space, although the rewriting approach of [5] can also be adapted and was implemented in our tool.

² We remark that φ is equivalent to □_{[0,a]}((y > 0) ⇒ ◇_{[b,c]}(x > 0)), which is a common formula used to express a timed causal relation between two signals.

The algorithm augments each node v of T_φ with a double-ended queue, that we denote worklist[v]. Let ψ be the subformula denoted by the tree rooted at v. For the partial signal x_{[0,i]}, the algorithm maintains in worklist[v] the RoSI [ρ](ψ, x_{[0,i]}, t) for each t ∈ hor(v) ∩ [t_0, t_i]. We denote by worklist[v](t) the entry corresponding to time t in worklist[v]. When a new data-point corresponding to the time t_{i+1} is available, the monitoring procedure updates each [ρ](ψ, x_{[0,i]}, t) in worklist[v] to [ρ](ψ, x_{[0,i+1]}, t).

In Fig. 3, we give an example of a run of the algorithm. We assume that the algorithm starts in a state where it has processed the partial signal x_{[0,2]}, and show the effect of receiving data at the time-points t_3 and t_4. The figure shows the states of the worklists at each node of T_φ at these times when monitoring the STL formula φ presented in Eq. (4.2). Each row in the table adjacent to a node shows the state of the worklist after the algorithm processes the value at the time indicated in the first column.

The first row of the table shows the snapshot of the worklists at time t_2. Observe that in the worklists for the subformulas y > 0 and ¬(y > 0), because a < b, the data required to compute the RoSI at t_0, t_1 and the time a is available, and hence each of the RoSIs is singular. On the other hand, for the subformula x > 0, the time horizon is [b, a + c], and no signal value is available at any time in this interval. Thus, at time t_2, all elements of worklist[v_{x>0}] are (x_inf, x_sup), corresponding to the greatest lower bound and lowest upper bound on x.

To compute the values of ◇_{[b,c]}(x > 0) at any time t, we take the supremum over values from times t + b to t + c. As the time horizon for the node corresponding to ◇_{[b,c]}(x > 0) is [0, a], t ranges over [0, a]. In other words, we wish to perform the sliding maximum over the interval [0 + b, a + c], with a window of length c − b. We can use the algorithm for computing the sliding window maximum as discussed earlier in this section. One caveat is that we need to store separate monotonic edges for the upper and lower bounds of the RoSIs. The algorithm then proceeds upward on the syntax tree, updating the worklist of a node only when there is an update to the worklists of its children.
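As an added example (not code from the paper or its tool), a Python version of the sliding-window maximum that Algorithm 1 computes over a piecewise-constant signal with variable time steps, using Lemire's monotonic edge (a deque of sample indices whose values decrease), together with the wrapper the caveat above calls for: one edge for the lower bounds and one for the upper bounds of a worklist of RoSIs. Assumptions: a sample (t_i, x_i) holds on [t_i, t_{i+1}) and the last sample on the single instant t_N; the output y(t) = sup of x over [t + a, t + b] is returned as breakpoints (t, value) valid for t from t_0 − b to t_N − a, with the caller keeping the ones inside hor(v); the sample data and the worklist contents are constructed.

```python
import math
from collections import deque
from typing import List, Tuple

INF = math.inf
Breakpoints = List[Tuple[float, float]]   # piecewise-constant function as (time, value) pairs

def sliding_max(samples: Breakpoints, a: float, b: float) -> Breakpoints:
    """y(t) = sup_{t' in [t+a, t+b]} x(t') for piecewise-constant x given as (t_i, x_i) pairs.

    Returns the breakpoints of y, valid for t in [t_0 - b, t_N - a]. Sample i is inside the
    window from t = t_i - b (enter) until t = t_{i+1} - a (leave); the last sample never
    leaves within that range. Enter events sort before leave events at equal times.
    """
    n = len(samples)
    events = [(samples[i][0] - b, 0, i) for i in range(n)]               # enter
    events += [(samples[i + 1][0] - a, 1, i) for i in range(n - 1)]      # leave
    events.sort()
    edge = deque()            # Lemire's monotonic edge: indices with decreasing values
    out, last, k = [], None, 0
    while k < len(events):
        t = events[k][0]
        while k < len(events) and events[k][0] == t:   # apply every event at this time
            _, kind, i = events[k]
            if kind == 0:
                while edge and samples[edge[-1]][1] <= samples[i][1]:
                    edge.pop()                          # dominated by the newer sample
                edge.append(i)
            elif edge and edge[0] == i:
                edge.popleft()                          # the oldest sample left the window
            k += 1
        cur = samples[edge[0]][1] if edge else -INF     # front of the edge is the maximum
        if cur != last:                                 # emit only when y changes
            out.append((t, cur))
            last = cur
    return out

def value_at(breakpoints: Breakpoints, t: float):
    """Piecewise-constant lookup: value of the last breakpoint at or before t."""
    v = None
    for bt, bv in breakpoints:
        if bt > t:
            break
        v = bv
    return v

def sliding_max_rosi(worklist, a: float, b: float):
    """SlidingMax over a worklist of (t, (lo, hi)) RoSIs: one edge per bound, then merged."""
    lows = sliding_max([(t, lo) for t, (lo, _) in worklist], a, b)
    highs = sliding_max([(t, hi) for t, (_, hi) in worklist], a, b)
    times = sorted({t for t, _ in lows} | {t for t, _ in highs})
    return [(t, (value_at(lows, t), value_at(highs, t))) for t in times]

# Constructed data: x sampled at t = 0..4, window [a, b] = [1, 2].
X = [(0.0, 1.0), (1.0, 3.0), (2.0, 2.0), (3.0, 5.0), (4.0, 0.0)]
# Constructed worklist for x > 0 as in Fig. 3 (a = 2, b = 1, c = 3): samples at t = 1, 2
# known, the one at t = 3 not yet, so its RoSI is (x_inf, x_sup).
WORK = [(1.0, (-1.0, -1.0)), (2.0, (-2.0, -2.0)), (3.0, (-INF, INF))]

if __name__ == "__main__":
    print(sliding_max(X, 1.0, 2.0))           # [(-2.0, 1.0), (-1.0, 3.0), (1.0, 5.0), (3.0, 0.0)]
    print(sliding_max_rosi(WORK, 1.0, 3.0))   # RoSI of eventually_[1,3](x > 0) at t = 0, 1, 2, ...
```

The second call reproduces the worklist of the node ◇_{[b,c]}(x > 0) for the partial signal x_{[0,2]}: (−1, +∞) at t = 0, (−2, +∞) at t = 1 and (−∞, +∞) at t = 2, the upper bounds being +∞ because the window of every horizon point reaches the unknown sample at t_3.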

The second row in each table is the effect of obtaining a new time point (at time t_3) for both signals. Note that this does not affect worklist[v_{y>0}] or worklist[v_{¬(y>0)}], as all RoSIs are already singular, but does update the RoSI values for the node v_{x>0}. The algorithm then invokes Alg. 1 on worklist[v_{x>0}] to update worklist[v_{◇_{[b,c]}(x>0)}]. Note that in the invocation on the second row (corresponding to time t_3), there is an additional value in the worklist, at time t_3. This leads Alg. 1 to produce a new value of SlidingMax(worklist[v_{x>0}], [b, c])(t_3 − b), which is then inserted in worklist[v_{◇_{[b,c]}(x>0)}]. This leads to additional points appearing in worklists at the ancestors of this node.

Finally, we remark that the run of this algorithm shows that at time t_4, the RoSI for the formula φ is [−2, −2], which yields a negative upper bound, showing that the formula is not satisfied irrespective of the suffixes of x and y. In other words, the satisfaction of φ is known before we have all the data required by hor(φ).

Alg. 2 is essentially a procedure that recursively visits each node in the syntax tree T_φ of the STL formula φ that we wish to monitor. Line 4 corresponds to the base case of the recursion, i.e., when the algorithm visits a leaf of T_φ, or an atomic predicate of the form f(x) > 0. Here, the algorithm inserts the pair (t_{i+1}, x_{i+1}) in worklist[v_{f(x)>0}] if t_{i+1} lies inside hor(v_{f(x)>0}). In other words, it only tracks a value if it is useful for computing the robust satisfaction interval of some ancestor node.

Fig. 2. These plots show the signals x(t) and y(t). Each signal begins at time t_0 = 0, and we consider three partial signals: x_{[0,3]} (black + blue), x_{[0,4]} (x_{[0,3]} + green), and x_{[0,5]} (x_{[0,4]} + red).

Fig. 3. We show a snapshot of the worklist[v] maintained by the algorithm for four different (incremental) partial traces of the signals x(t) and y(t). Each row indicates the state of worklist[v] at the time indicated in the first column. An entry marked — indicates that the corresponding element did not exist in worklist[v] at that time. Each colored entry indicates that the entry was affected by availability of a signal fragment of the corresponding color.

For a node corresponding to a Boolean operation, the algorithm first updates the worklists at the children, and then uses them to update the worklist at the node. If the current node represents ¬ψ (Line 5), the algorithm flips the sign of each entry in worklist[v_ψ]; this operation is denoted as −worklist[v_ψ]. Consider the case where the current node is a conjunction φ_1 ∧ φ_2. The sequence of upper bounds and the sequence of lower bounds of the entries in worklist[v_{φ_1}] can each be thought of as a piecewise-constant signal (likewise for worklist[v_{φ_2}]). In Line 11, the algorithm computes a pointwise minimum over the piecewise-constant signals representing the upper and lower bounds of the RoSIs of its arguments. Note that if, for i = 1, 2, worklist[v_{φ_i}] has N_i entries, then the pointwise min would have to be performed at most N_1 + N_2 distinct time-points. Thus, worklist[v_{φ_1 ∧ φ_2}] has at most N_1 + N_2 entries. A similar phenomenon can be seen in Fig. 3, where computing a max over the worklists of ¬(y > 0) and ◇_{[b,c]}(x > 0) leads to an increase in the number of entries in the worklist of the disjunction.

For nodes corresponding to temporal operators, e.g., ◇_I ψ, the algorithm first updates worklist[v_ψ]. It then applies Alg. 1 to compute the sliding maximum over worklist[v_ψ]. Note that if worklist[v_ψ] contains N entries, so does worklist[v_{◇_I ψ}].

Algorithm 2: updateWorkList(v_φ, t_{i+1}, x_{i+1})
// v_φ is a node in the syntax tree, (t_{i+1}, x_{i+1}) is a new signal time-point
1   switch φ do
2     case f(x) > 0
3       if t_{i+1} ∈ hor(v_φ) then
4         worklist[v_φ](t_{i+1}) := [f(x_{i+1}), f(x_{i+1})]
5     case ¬ψ
6       updateWorkList(v_ψ, t_{i+1}, x_{i+1})
7       worklist[v_φ] := −worklist[v_ψ]
8     case φ_1 ∧ φ_2
9       updateWorkList(v_{φ_1}, t_{i+1}, x_{i+1})
10      updateWorkList(v_{φ_2}, t_{i+1}, x_{i+1})
11      worklist[v_φ] := min(worklist[v_{φ_1}], worklist[v_{φ_2}])
12    case ◇_I ψ
13      updateWorkList(v_ψ, t_{i+1}, x_{i+1})
14      worklist[v_φ] := SlidingMax(worklist[v_ψ], I)


A further optimization can be implemented on top of this basic scheme. For a node v corresponding to the subformula ◇_I ψ, the first few entries of worklist[v] (say up to time u) could become singular intervals once the required RoSIs for worklist[v_ψ] are available. The optimization is to only compute SlidingMax over worklist[v_ψ] starting from u + inf(I). We omit the pseudo-code for brevity.

5 Monitoring untimed formulas 

If the STL formula being monitored has untimed (i.e., infinite-horizon) temporal operators, a direct application of Alg. 2 requires every node in the sub-tree rooted at the untimed operator to have an unbounded time horizon. In other words, for all such nodes, the algorithm would have to keep track of every value over arbitrarily long intervals. For certain untimed operators and combinations thereof, we show that we can monitor the formulas using only a bounded amount of information.

First, we introduce some equivalences over intervals a, b, c that we use in the theorem and the proof to follow:

$$
\begin{aligned}
\min(\max(a, b), \max(a, c)) &= \max(a, \min(b, c)) && (5.1) \\
\min(a, \max(b, c)) &= \max(\min(a, b), \min(a, c)) && (5.2) \\
\max(\max(a, b), c) &= \max(a, b, c) && (5.3) \\
\min(\max(a, b), a) &= a && (5.4)
\end{aligned}
$$

Theorem 1. For each of the following formulae, where φ and ψ are atomic predicates of the form f(x) > 0, we can monitor interval robustness in an online fashion using constant memory: (1) □φ, ◇φ, (2) φUψ, (3) □(φ ∨ ◇ψ), ◇(φ ∧ □ψ), (4) □◇φ, ◇□φ, and (5) ◇(φ ∧ ◇ψ), □(φ ∨ □ψ).

Proof. In what follows, we use the following short-hand notation:

$$
p_i = [\rho](f(x) > 0, x_{[0,n+1]}, t_i) \qquad q_i = [\rho](g(x) > 0, x_{[0,n+1]}, t_i) \qquad (5.5)
$$

Note that if i ∈ [0, n], then p_i is the same over the partial signal x_{[0,n]}, i.e., p_i = [ρ](f(x) > 0, x_{[0,n]}, t_i) (and respectively for q_i). We will use this equivalence in several of the steps in what follows.

(1) □φ, where φ = f(x) > 0. Observe the following:

$$
[\rho](\Box\varphi, x_{[0,n+1]}, 0) = \min_{i \in [0,n+1]} p_i = \min\Big( \min_{i \in [0,n]} p_i,\ p_{n+1} \Big) \qquad (5.6)
$$

In the final expression above, observe that the first entry does not contain any p_{n+1} terms, i.e., it can be computed using the data points x_1, …, x_n in the partial signal x_{[0,n]} itself. Thus, for all n, if we maintain the one interval representing the min of the first n values of f(x) as a summary, then we can compute the interval robustness of □(f(x) > 0) over x_{[0,n+1]} with the additional data x_{n+1} available at t_{n+1}. Note that for the dual formula ◇(f(x) > 0), a similar result holds with min substituted by max.

(2) φUψ, where φ = f(x) > 0, and ψ = g(x) > 0. Observe the following:

$$
[\rho](\varphi \mathbf{U} \psi, x_{[0,n+1]}, 0) = \max_{i \in [0,n+1]} \min\Big( q_i,\ \min_{j \in [0,i]} p_j \Big) \qquad (5.7)
$$

We can rewrite the RHS of Eq. (5.7) to get:

$$
\max\Big( \underline{\max_{i \in [0,n]} \min\big( q_i,\ \min_{j \in [0,i]} p_j \big)},\ \min\big( \underline{\min_{j \in [0,n]} p_j},\ p_{n+1},\ q_{n+1} \big) \Big) \qquad (5.8)
$$

Let U_n and M_n respectively denote the first and second underlined terms in the above expression. Note that for any n, U_n and M_n can be computed only using data x_1, …, x_n. Consider the recurrences M_{n+1} = min(M_n, p_{n+1}, q_{n+1}) and U_{n+1} = max(U_n, …); we can observe that to compute M_{n+1} and U_{n+1}, we only need M_n, U_n, and x_{n+1}. Furthermore, U_{n+1} is the desired interval robustness value over the partial signal x_{[0,n+1]}. Thus storing and iteratively updating the two interval-values U_n and M_n is enough to monitor the given formula.

(3) □(φ ∨ ◇ψ), where φ = f(x) > 0, and ψ = g(x) > 0. Observe the following:

$$
\begin{aligned}
[\rho](\Box(\varphi \vee \Diamond\psi), x_{[0,n+1]}, 0) &= \min_{i \in [0,n+1]} \max\Big( p_i,\ \max_{j \in [i,n+1]} q_j \Big) \\
&= \min_{i \in [0,n+1]} \max\Big( p_i,\ \max_{j \in [i,n]} q_j,\ q_{n+1} \Big)
\end{aligned}
\qquad (5.9)
$$

Repeatedly applying the equivalence (5.1) to the outer min in (5.9) we get:

$$
\max\Big( q_{n+1},\ \min_{i \in [0,n+1]} \max\big( p_i,\ \max_{j \in [i,n]} q_j \big) \Big) \qquad (5.10)
$$

The inner min simplifies to:

$$
\max\Big( q_{n+1},\ \min\big( p_{n+1},\ \underline{\min_{i \in [0,n]} \max\big( p_i,\ \max_{j \in [i,n]} q_j \big)} \big) \Big) \qquad (5.11)
$$

Let T_n denote the underlined term; note that we do not require any data at time t_{n+1} to compute it. Using the recurrence T_{n+1} = max(q_{n+1}, min(p_{n+1}, T_n)), we can obtain the desired interval robustness value. The memory required is that for storing the one interval value T_n. A similar result can be established for the dual formula ◇(f(x) > 0 ∧ □(g(x) > 0)).

(4) □◇φ, where φ = f(x) > 0. Observe the following:

$$
[\rho](\Box\Diamond\varphi, x_{[0,n+1]}, 0) = \min_{i \in [0,n+1]}\ \max_{j \in [i,n+1]} p_j \qquad (5.12)
$$

Rewriting the outer min operator and the inner max more explicitly, we get:

$$
\min\Big( \underline{\min_{i \in [0,n]} \max\big( \max_{j \in [i,n]} p_j,\ p_{n+1} \big)},\ p_{n+1} \Big) \qquad (5.13)
$$

Repeatedly using (5.1) to simplify the above underlined term we get:

$$
\min\Big( \max\big( p_{n+1},\ \min_{i \in [0,n]} \max_{j \in [i,n]} p_j \big),\ p_{n+1} \Big) = p_{n+1}. \qquad (5.14)
$$

The simplification to p_{n+1} follows from (5.4). Thus, to monitor □◇(f(x) > 0), we do not need to store any information, as the interval robustness simply evaluates to that of the predicate f(x) > 0 at time t_{n+1}. A similar result can be obtained for the dual formula ◇□(f(x) > 0).

(5) ◇(φ ∧ ◇ψ), where φ = f(x) > 0 and ψ = g(x) > 0. Observe the following:

$$
[\rho](\Diamond(\varphi \wedge \Diamond\psi), x_{[0,n+1]}, 0) = \max_{i \in [0,n+1]} \min\Big( p_i,\ \max_{j \in [i,n+1]} q_j \Big) \qquad (5.15)
$$

We can rewrite the RHS of Eq. (5.15) as the first expression below. Applying the equivalences in (5.2) and (5.3) to the expression on the left, we get the expression on the right.

$$
\max\begin{pmatrix} \min(p_0, \max(q_0, \ldots, q_{n+1})) \\ \vdots \\ \min(p_n, \max(q_n, q_{n+1})) \\ \min(p_{n+1}, q_{n+1}) \end{pmatrix}
= \max\begin{pmatrix} \min(p_0, q_0), \ldots, \min(p_0, q_{n+1}), \\ \vdots \\ \min(p_n, q_n), \min(p_n, q_{n+1}), \\ \min(p_{n+1}, q_{n+1}) \end{pmatrix}
\qquad (5.16)
$$

Grouping terms containing q_{n+1} together and applying the equivalence in (5.2) we get:

$$
\max\begin{pmatrix} \max\begin{pmatrix} \min(p_0, q_0), \min(p_0, q_1), \ldots, \min(p_0, q_n), \\ \min(p_1, q_1), \ldots, \min(p_1, q_n), \\ \vdots \\ \min(p_n, q_n) \end{pmatrix}, \\ \min\big( q_{n+1},\ \underline{\max(p_0, p_1, \ldots, p_n)} \big), \\ \min(p_{n+1}, q_{n+1}) \end{pmatrix}
\qquad (5.17)
$$

Observe that the first argument to the outermost max can be computed using only x_1, …, x_n. Suppose we denote this term T_n. Also note that in the second argument, the inner max (underlined) can be computed using only x_1, …, x_n. Let us denote this term by M_n. We now have the recurrence relations:

$$
\begin{aligned}
M_{n+1} &= \max(M_n, p_{n+1}), && (5.18) \\
T_{n+1} &= \max\big( T_n,\ \min(q_{n+1}, M_n),\ \min(q_{n+1}, p_{n+1}) \big), && (5.19)
\end{aligned}
$$

where T_0 = min(p_0, q_0) and M_0 = p_0. Thus, the desired interval robustness can be computed using only two values stored in T_n and M_n. The dual result holds for the formula □(φ ∨ □ψ).
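As an added example (not code from the paper or its tool), the constant-memory recurrences of Theorem 1 in Python placed next to brute-force evaluations of the closed forms (5.6), (5.7), (5.9), (5.12) and (5.15), so that the two can be checked against each other on constructed data. Assumptions: p_i and q_i are taken as scalars (the singular intervals a predicate yields once its sample has arrived); with the interval min and max of Eq. (2.1) applied componentwise the same recurrences carry over. The closed index range [0, i] of (5.7) is used as written.

```python
import math
from typing import List

INF = math.inf

# Streaming monitors: each keeps O(1) state and returns the robustness after every sample.

def always(p: List[float]) -> List[float]:
    """(1) G p: a running minimum (the dual F p is a running maximum)."""
    out, acc = [], INF
    for pn in p:
        acc = min(acc, pn)
        out.append(acc)
    return out

def until(p: List[float], q: List[float]) -> List[float]:
    """(2) p U q: state (U, M), M = min of p seen so far, U = best witness so far."""
    out, U, M = [], -INF, INF
    for pn, qn in zip(p, q):
        U = max(U, min(M, pn, qn))      # q witnessed at the new sample, p held up to it
        M = min(M, pn)
        out.append(U)
    return out

def always_or_eventually(p: List[float], q: List[float]) -> List[float]:
    """(3) G(p or F q): one stored value T, T_{n+1} = max(q_{n+1}, min(p_{n+1}, T_n))."""
    out, T = [], INF
    for pn, qn in zip(p, q):
        T = max(qn, min(pn, T))
        out.append(T)
    return out

def always_eventually(p: List[float]) -> List[float]:
    """(4) G F p: no state at all, the value is the latest sample p_{n+1} (Eq. 5.14)."""
    return list(p)

def eventually_and_eventually(p: List[float], q: List[float]) -> List[float]:
    """(5) F(p and F q): state (T, M) of Eqs. (5.18)-(5.19), M = max of p seen so far."""
    out, T, M = [], -INF, -INF
    for pn, qn in zip(p, q):
        T = max(T, min(qn, M), min(qn, pn))
        M = max(M, pn)
        out.append(T)
    return out

# Brute-force references: evaluate the closed forms over the whole prefix for each n.

def bf_always(p):                        # Eq. (5.6)
    return [min(p[:n + 1]) for n in range(len(p))]

def bf_until(p, q):                      # Eq. (5.7)
    return [max(min(q[i], min(p[:i + 1])) for i in range(n + 1)) for n in range(len(p))]

def bf_always_or_eventually(p, q):       # Eq. (5.9)
    return [min(max(p[i], max(q[i:n + 1])) for i in range(n + 1)) for n in range(len(p))]

def bf_always_eventually(p):             # Eq. (5.12)
    return [min(max(p[i:n + 1]) for i in range(n + 1)) for n in range(len(p))]

def bf_eventually_and_eventually(p, q):  # Eq. (5.15)
    return [max(min(p[i], max(q[i:n + 1])) for i in range(n + 1)) for n in range(len(p))]

# Constructed robustness samples p_i = f(x_i) and q_i = g(x_i).
P = [1.0, -0.5, 2.0, 0.5, -1.0, 3.0]
Q = [-2.0, 1.5, 0.0, -0.5, 2.5, 1.0]

def check_all(p=P, q=Q) -> bool:
    """True iff every streaming monitor agrees with its brute-force closed form."""
    return (always(p) == bf_always(p)
            and until(p, q) == bf_until(p, q)
            and always_or_eventually(p, q) == bf_always_or_eventually(p, q)
            and always_eventually(p) == bf_always_eventually(p)
            and eventually_and_eventually(p, q) == bf_eventually_and_eventually(p, q))

if __name__ == "__main__":
    print(until(P, Q), eventually_and_eventually(P, Q), check_all())
```

The brute-force versions re-read the whole prefix at every step, which is exactly the unbounded storage the section sets out to avoid; the streaming versions touch only the newest sample and one or two stored values, matching the memory bound claimed for each case.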


Remarks on extending the above result: The result in Theorem 1 can be generalized to allow φ and ψ that are not atomic predicates, under the following two conditions:

1. Bounded horizon subformulae condition: For each formula, the subformulae φ and ψ have a bounded time-horizon, i.e., hor(φ) and hor(ψ) are closed intervals.

(Fig. 4 image omitted; it shows worklist[v_ψ] at time t_i with entries W(s_i + 1), …, W(t_i) such as [5, 5] and [3, f_sup], and at time t_{i+1} with entries W'(s_{i+1} + 1), …, W'(t_{i+1}) such as [3, 3] and [2, f_sup].)

Fig. 4. A depiction of the action of the procedure to update the summary while computing [ρ](□ψ, x_{[0,i]}, t_0). Here, W(j) is shorthand for [ρ](ψ, x_{[0,i]}, t_j) and W'(j) is shorthand for [ρ](ψ, x_{[0,i+1]}, t_j).

2. Smallest step-size condition: Consecutive time-points in the signal are at least Δ seconds apart, for some finite Δ, which is known a priori.

5.1 Generalizing Theorem 1

Let sub(φ) denote the set of all subformulas of φ except φ itself. Let last(φ) be defined as follows:

$$
\mathrm{last}(\varphi) = \max_{\psi \in \mathrm{sub}(\varphi)} \sup(\mathrm{hor}(\psi)) \qquad (5.20)
$$

The meaning of last(φ) is as follows: the last time at which a data value of x is required to compute ρ(φ, x, t) is t + last(φ). For the formula φ defined in Eq. (4.2), last(φ) = a + c. For the formula ψ = □(x > 0), last(ψ) = ∞. In general, for any untimed formula φ, last(φ) is equal to ∞. In Theorem 1, we show that certain classes of untimed formulas can be monitored in an online fashion with a bounded amount of memory. We first define the following quantities:

$$
\Delta = \min_i (t_{i+1} - t_i) \qquad w_\varphi = \max_{\psi \in \mathrm{sub}(\varphi)} \mathrm{last}(\psi) \qquad k_\varphi = \ldots \qquad (5.21)
$$

Here, Δ represents the smallest time-step in the monitored signal, w_φ is the largest time horizon of all subformulas of φ, and k_φ is the largest number of discrete time-points for the trace in any interval.

Theorem 2. If $w_\varphi$ is finite, then for each $\varphi$ listed below, we can monitor the RoSI of $\varphi$ in an online fashion using $O(k_\varphi)$ memory.

1. $\Box\varphi$ (dually $\Diamond\varphi$)
2. $\varphi\,\mathbf{U}\,\psi$
3. $\Box\Diamond\psi$ (dually $\Diamond\Box\psi$)
4. $\Box(\varphi \vee \Diamond\psi)$ (dually $\Diamond(\varphi \wedge \Box\psi)$)
5. $\Diamond(\varphi \wedge \Diamond\psi)$ (dually $\Box(\varphi \vee \Box\psi)$)

(5.22)

Proof. We provide proof sketches. The main argument in each of the proofs is as follows: For any partial signal $x_{[0,i]}$, there are two cases. The first case is when $t_0 > t_i - w_\varphi$. By assumption, there are at most $k_\varphi$ time-points in the interval $[t_0, t_i]$. Thus, in this case, the worklists at each of the nodes corresponding to $\psi \in \mathrm{sub}(\varphi)$ have to track at most $k_\varphi$ RoSI values in order to compute $[\rho](\varphi, x_{[0,i]}, t_0)$.

Algorithm 3: Computing RoSI for untimed Until

1  $v_1 := S_\varphi$; $v_2 := S_\psi$
2  foreach $j \in [s_i + 1, i]$ do
3      $v_1 := \min\big(v_1,\ [\rho](\varphi, x_{[0,i]}, t_j)\big)$
4      $v_2 := \sup\big(v_2,\ \min(v_1,\ [\rho](\psi, x_{[0,i]}, t_j))\big)$
5  $[\rho](\varphi\,\mathbf{U}\,\psi, x_{[0,i]}, t_0) := v_2$

The second case is when $t_0 \le t_i - w_\varphi$; this implies that there is a largest time $t_{s_i}$ in $\{t_0, t_1, \ldots, t_i\}$ such that $t_{s_i} \le t_i - w_\varphi$. For the partial signal $x_{[0,i]}$, at each time $t \le t_{s_i}$, there is enough information to compute the exact robustness value of each of the subformulas of $\varphi$. The central step is that for each of the formulas mentioned above, the robustness values in the interval $[t_0, t_{s_i}]$ can be summarized to a single robustness value. Furthermore, the interval $(t_{s_i}, t_i]$ can have at most $k_\varphi$ time-points. Thus, the computation of $[\rho](\varphi, x_{[0,i]}, t_0)$ can be split into tracking a summary for the interval $[t_0, t_{s_i}]$ and tracking at most $k_\varphi$ RoSIs in the worklists of the immediate subformulas of $\varphi$ in the interval $(t_{s_i}, t_i]$. We now explain how the summary information is maintained for each formula.

(1) $[\Box\psi]$ We maintain the summary $S = \inf_{j \in [0, s_i]} [\rho](\psi, x_{[0,i]}, t_j)$, i.e., the infimum over all exact robustness values computable over the partial signal $x_{[0,i]}$. When a new time-point $(t_{i+1}, x_{i+1})$ becomes available, $S$ is updated if there is a new time $t_j$ for which $[\rho](\psi, x_{[0,i+1]}, t_j)$ can be exactly computed; otherwise, the new value is used to update all entries $[\rho](\psi, x_{[0,i+1]}, t_j)$ for $t_j \in (t_{s_i}, t_i]$, and a new entry corresponding to time $t_{i+1}$ is added to worklist[$v_\psi$]. Please see Fig. 4 for a depiction of this step. We then establish the following: (1) There are at most $k_\varphi$ entries (each corresponding to $[\rho](\psi, x_{[0,i]}, t_j)$ for $t_j \in (t_{s_i}, t_i]$) in worklist[$v_\psi$]. This is true because there can be at most $k_\varphi$ consecutive time-points that do not update $S$ in any interval of length $w_\varphi$. (2) We show by induction that the inf of $S$ and the entries in worklist[$v_\psi$] is equal to $[\rho](\Box\psi, x_{[0,i]}, t_0)$.

(2) $[\varphi\,\mathbf{U}\,\psi]$ We maintain the following two quantities as the summary: (a) $S_\varphi = [\rho](\Box_{[0,t_{s_i}]}\varphi, x_{[0,i]}, t_0)$ and (b) $S_\psi = [\rho](\varphi\,\mathbf{U}_{[0,t_{s_i}]}\,\psi, x_{[0,i]}, t_0)$. In worklist[$v_\varphi$] and worklist[$v_\psi$] we store at most $k_\varphi$ values corresponding to $[\rho](\varphi, x_{[0,i]}, t_j)$ and $[\rho](\psi, x_{[0,i]}, t_j)$ for $t_j \in (t_{s_i}, t_i]$. The crucial step is to combine $S_\varphi$ and $S_\psi$ with the entries in worklist[$v_\varphi$] and worklist[$v_\psi$] to obtain $[\rho](\varphi\,\mathbf{U}\,\psi, x_{[0,i]}, t_0)$. We show that the iterative procedure in Algorithm 3 can accomplish this. In its $j$-th iteration $v_1$ is equal to $\inf_{\ell \in [0,j]} [\rho](\varphi, x_{[0,i]}, t_\ell)$, and we can show by induction that $v_2$ is equal to

$$\sup_{m \in [0,j]} \min\Big([\rho](\psi, x_{[0,i]}, t_m),\ \inf_{\ell \in [0,m]} [\rho](\varphi, x_{[0,i]}, t_\ell)\Big).$$

Thus, at the end of the computation, the value computed in $v_2$ is $[\rho](\varphi\,\mathbf{U}\,\psi, x_{[0,i]}, t_0)$.

(3) $[\Box\Diamond\psi]$ We show that we do not need any additional storage for monitoring $\varphi$. Concretely, we posit that $[\rho](\Box\Diamond\psi, x_{[0,i]}, t_0) = [\rho](\psi, x_{[0,i]}, t_i)$. We successively rewrite $[\rho](\Box\Diamond\psi, x_{[0,i]}, t_0) = \inf_{j \in [0,i]} \sup_{\ell \in [j,i]} [\rho](\psi, x_{[0,i]}, t_\ell)$ as follows:

$$\inf\Big(\sup_{\ell \in [0,i]} [\rho](\psi, x_{[0,i]}, t_\ell),\ \sup_{\ell \in [1,i]} [\rho](\psi, x_{[0,i]}, t_\ell),\ \ldots,\ \sup_{\ell \in [i,i]} [\rho](\psi, x_{[0,i]}, t_\ell)\Big) \qquad (5.23)$$

$$\inf\Big(\sup\big([\rho](\psi, x_{[0,i]}, t_i),\ \sup_{\ell \in [0,i-1]} [\rho](\psi, x_{[0,i]}, t_\ell)\big),\ \sup\big([\rho](\psi, x_{[0,i]}, t_i),\ \sup_{\ell \in [1,i-1]} [\rho](\psi, x_{[0,i]}, t_\ell)\big),\ \ldots,\ [\rho](\psi, x_{[0,i]}, t_i)\Big) \qquad (5.24)$$

In the above, to go from (5.23) to (5.24), we expand the inner sup expressions, and observe that the last term in the inf evaluates to $[\rho](\psi, x_{[0,i]}, t_i)$. For the final step, we observe that $\inf(l_1, \sup(l_1, l_2), \ldots, \sup(l_1, l_n)) = l_1$, and thus, (5.24) simplifies to $[\rho](\psi, x_{[0,i]}, t_i)$. By duality, a similar proof works for $\Diamond\Box\psi$.

Algorithm 4: Computing RoSI for $\Box(\varphi \vee \Diamond\psi)$

1  $v := S$
2  foreach $j \in [s_i + 1, i]$ do
3      $v := \sup\big([\rho](\psi, x_{[0,i]}, t_j),\ \inf(v,\ [\rho](\varphi, x_{[0,i]}, t_j))\big)$
4  $[\rho](\Box(\varphi \vee \Diamond\psi), x_{[0,i]}, t_0) := v$

(4) $[\Box(\varphi \vee \Diamond\psi)]$ We maintain one quantity as the summary information: $S = [\rho](\Box_{[0,t_{s_i}]}(\varphi \vee \Diamond\psi), x_{[0,i]}, t_0)$. Additionally, we store at most $k_\varphi$ entries corresponding to $[\rho](\varphi, x_{[0,i]}, t_j)$ in worklist[$v_\varphi$] and at most $k_\varphi$ entries corresponding to $[\rho](\psi, x_{[0,i]}, t_j)$ in worklist[$v_\psi$]. To compute the RoSI of $\Box(\varphi \vee \Diamond\psi)$ at $t_0$, we use Algorithm 4. To complete the proof we observe that Algorithm 4 computes expression (5.25), which has nested and alternating sups and infs:

$$\sup\Big([\rho](\psi, x_{[0,i]}, t_i),\ \inf\big([\rho](\varphi, x_{[0,i]}, t_i),\ \sup([\rho](\psi, x_{[0,i]}, t_{i-1}),\ \ldots,\ S)\big)\Big) \qquad (5.25)$$

Using the identity $\sup(l_1, \inf(l_2, l_3)) = \inf(\sup(l_1, l_2), \sup(l_1, l_3))$, we can rearrange the above expression to obtain:

$$\inf\left(\begin{array}{l} \sup\big([\rho](\psi, x_{[0,i]}, t_i),\ [\rho](\varphi, x_{[0,i]}, t_i)\big), \\[4pt] \sup\big([\rho](\psi, x_{[0,i]}, t_i),\ [\rho](\psi, x_{[0,i]}, t_{i-1}),\ \inf([\rho](\varphi, x_{[0,i]}, t_{i-1}),\ \sup([\rho](\psi, x_{[0,i]}, t_{i-2}),\ \ldots,\ S))\big) \end{array}\right) \qquad (5.26)$$

By repeated use of this identity on the expression in the second line, we get the expression $\inf_{j \in [0,i]} \Big(\max\big([\rho](\varphi, x_{[0,i]}, t_j),\ \sup_{\ell \in [j,i]} [\rho](\psi, x_{[0,i]}, t_\ell)\big)\Big)$, which is equal to the RoSI of the whole formula, $[\rho](\Box(\varphi \vee \Diamond\psi), x_{[0,i]}, t_0)$.
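Algorithms 3 and 4 as a single pass over interval-valued RoSIs, as an added example that is not the paper's code: it serves both the $\varphi\,\mathbf{U}\,\psi$ case (2) and the $\Box(\varphi \vee \Diamond\psi)$ case (4) above, seeds the summaries $S_\varphi$, $S_\psi$ and $S$ from the first worklist entry, checks each result against the brute-force definition, and derives the early-termination verdict. The worklist contents are constructed.

```python
from typing import List, Tuple

Interval = Tuple[float, float]   # a RoSI [lower, upper]; an exact value is (v, v)

def imin(a: Interval, b: Interval) -> Interval:
    """min is monotone, so it maps intervals to intervals componentwise."""
    return (min(a[0], b[0]), min(a[1], b[1]))

def imax(a: Interval, b: Interval) -> Interval:
    return (max(a[0], b[0]), max(a[1], b[1]))

def until_rosi(phi: List[Interval], psi: List[Interval]) -> Interval:
    """Algorithm 3: v1 = inf_{l<=j} phi_l, v2 = sup_{m<=j} min(psi_m, v1).
    Seeding with j = 0 plays the role of the summaries S_phi and S_psi."""
    v1, v2 = phi[0], imin(phi[0], psi[0])
    for j in range(1, len(phi)):
        v1 = imin(v1, phi[j])
        v2 = imax(v2, imin(v1, psi[j]))
    return v2

def always_or_eventually_rosi(phi: List[Interval], psi: List[Interval]) -> Interval:
    """Algorithm 4: v = sup(psi_j, inf(v, phi_j)), seeded with the summary S at j = 0."""
    v = imax(phi[0], psi[0])
    for j in range(1, len(phi)):
        v = imax(psi[j], imin(v, phi[j]))
    return v

def until_bruteforce(phi: List[Interval], psi: List[Interval]) -> Interval:
    """sup_m min(psi_m, inf_{l<=m} phi_l), computed for lower (k=0) and upper (k=1) bounds."""
    n = len(phi)
    return tuple(max(min(psi[m][k], min(p[k] for p in phi[:m + 1])) for m in range(n))
                 for k in (0, 1))

def always_or_eventually_bruteforce(phi: List[Interval], psi: List[Interval]) -> Interval:
    """inf_j max(phi_j, sup_{l>=j} psi_l), computed for lower and upper bounds separately."""
    n = len(phi)
    return tuple(min(max(phi[j][k], max(q[k] for q in psi[j:])) for j in range(n))
                 for k in (0, 1))

def verdict(r: Interval) -> str:
    """The early-termination decision an online monitor takes from a RoSI."""
    if r[0] > 0:
        return "satisfied"
    if r[1] < 0:
        return "violated"
    return "unknown"

# Constructed worklist contents (assumption): two exact entries, then two open ones
PHI = [(3.0, 3.0), (2.0, 2.0), (1.0, 4.0), (-1.0, 2.0)]
PSI = [(-2.0, -2.0), (-1.0, -1.0), (0.5, 3.0), (2.0, 2.5)]
```

With these inputs both algorithms return (0.5, 2.0) and (2.0, 2.5) respectively, so the monitor can stop the simulation with a "satisfied" verdict even though the last two entries are still open intervals.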




6 Experimental Results 


We implemented Algorithm 2 as a stand-alone tool that can be plugged in a loop with any black-box simulator and evaluated it using two practical real-world applications. We considered the following criteria: (1) On average, what fraction of simulation time can be saved by online monitoring? (2) How much overhead does online monitoring add, and how does it compare to a naive implementation that at each step recomputes everything using an offline algorithm?



Requirement          Num.    Early        Simulation Time (hours)
                     Traces  Termination  Offline    Online
φ_overshoot(v_1)     1000    801          33.3803    26.1643
φ_overshoot(v_2)     1000    239          33.3805    30.5923
φ_overshoot(v_3)     1000    0            33.3808    33.4369
φ_transient(v_4)     1000    595          33.3822    27.0405
φ_transient(v_5)     1000    417          33.3823    30.6134

Table 1. Experimental results on DEM.


6.1 Diesel Engine Model (DEM)

The first case study is an industrial-sized Simulink® model of a prototype airpath system in a diesel engine. The closed-loop model consists of a plant model describing the airpath dynamics, and a controller implementing a proprietary control scheme. The model has more than 3000 blocks, with more than 20 lookup tables approximating high-dimensional nonlinear functions. Due to the significant model complexity, the speed of simulation is about 5 times slower than real time, i.e., simulating 1 second of operation takes 5 seconds in Simulink®. As it is important to simulate this model over a long time-horizon to characterize the airpath behavior over extended periods of time, savings in simulation time by early detection of requirement violations are very beneficial. We selected two parameterized safety requirements after discussions with the control designers (shown in Eq. (6.1)-(6.2)). Due to proprietary concerns, we suppress the actual values of the parameters used in the requirements.

$$\varphi_{\mathrm{overshoot}}(p_1) = \Box_{[a,b]}(x < c) \qquad (6.1)$$

$$\varphi_{\mathrm{transient}}(p_2) = \Box_{[a,b]}\big(|x| > c \Rightarrow \Diamond_{[0,d]}(|x| < e)\big) \qquad (6.2)$$

Property $\varphi_{\mathrm{overshoot}}$ with parameters $p_1 = (a, b, c)$ specifies that in the interval $[a, b]$, the overshoot on the signal $x$ should remain below a certain threshold $c$. Property $\varphi_{\mathrm{transient}}$ with parameters $p_2 = (a, b, c, d, e)$ is a specification on the settling time of the signal $x$. It specifies that in the time interval $[a, b]$, if at some time $t$, $|x|$ exceeds $c$, then it settles to a small region ($|x| < e$) before $t + d$. In Table 1, we consider three different valuations $v_1, v_2, v_3$ for $p_1$ in the requirement $\varphi_{\mathrm{overshoot}}(p_1)$, and two different valuations $v_4, v_5$ for $p_2$ in the requirement $\varphi_{\mathrm{transient}}(p_2)$.

The main reason for the better performance of the online algorithm is that simulations are time-consuming for this model. The online algorithm can terminate a simulation earlier (either because it detected a violation or obtained a concrete robust satisfaction interval), thus obtaining significant savings. For $\varphi_{\mathrm{overshoot}}(v_3)$, we choose the parameter values for $a$ and $b$ such that the online algorithm has to process the entire signal trace, and is thus unable to terminate earlier. Here we see that the total overhead (in terms of runtime) incurred by the extra book-keeping of Algorithm 2 is negligible (about 0.1%).


6.2 CPSGrader 

CPSGrader [14,6] is a publicly-available automatic grading and feedback generation tool for online virtual labs in cyber-physical systems. It employs temporal logic based testers to check for common fault patterns in student solutions for lab assignments. CPSGrader uses the National Instruments Robotics Environment Simulator to generate traces from student solutions and monitors STL properties (each corresponding to a particular faulty behavior) on them. In the published version of CPSGrader [14], this is done in an offline fashion by first running the complete simulation until a pre-defined cut-off and then monitoring the STL properties on offline traces. At a step-size of 5 ms, simulating 6 sec. of real-world operation of the system takes 1 sec. for the simulator. When students use CPSGrader for active feedback generation and debugging, simulation constitutes the major chunk of the application response time. Online monitoring helps in reducing the response time by avoiding unnecessary simulations, giving the students feedback as soon as faulty behavior is detected.

STL Test Bench   Num.    Early        Sim. Time (mins)    Overhead (secs)
                 Traces  Termination  Offline   Online    Naive      Alg. 2
avoid_front      1776    466          296       258       553        9
avoid_left       1778    471          296       246       1347       30
avoid_right      1778    583          296       226       1355       30
hill_climb1      1777    19           395       394       919        11
hill_climb2      1556    176          259       238       423        7
hill_climb3      1556    124          259       248       397        7
filter           1451    78           242       236       336        6
keep_bump        1775    468          296       240       1.2×10^4   268
what_hill        1556    71           259       253       1.9×10^4   1.5×10^? (exponent illegible in source)

Table 2. Evaluation of online monitoring for CPSGrader. Each STL Test Bench has an associated STL property.

We evaluated our online monitoring algorithm on the traces and STL properties used in the published version of CPSGrader [14,6]. These traces are the result of running actual student submissions on a battery of tests. For lack of space, we refer the reader to [14] for details about the tests and STL properties. As an illustrative example, we show the keep_bump property in Eq. (6.3):

$$\varphi_{\mathrm{keep\_bump}} = \Diamond_{[0,60]}\,\Box_{[0,5]}\,\big(\mathrm{bump\_right}(t) \vee \mathrm{bump\_left}(t)\big) \qquad (6.3)$$

For each STL property, Table 2 compares the total simulation time needed for both the online and offline approaches, summed over all traces. For the offline approach, a suitable simulation cut-off time of 60 sec. is chosen. At a step-size of 5 ms, each trace is roughly of length 1000. For the online algorithm, simulation terminates before this cut-off if the truth value of the property becomes known; otherwise it terminates at the cut-off. Table 2 also shows the monitoring overhead incurred by a naive online algorithm that performs complete recomputation at every step against the overhead incurred by Alg. 2. Table 2 demonstrates that online monitoring ends up saving up to 24% of simulation time (> 10% in a majority of cases). The monitoring overhead of Alg. 2 is negligible (< 1%) as compared to the simulation time, and it is consistently less than the overhead of the naive online approach by a factor of 40x to 80x.
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